A new comment XSS exploit vulnerability, being called “Zero Day”, has been found in the latest versions of WordPress: 4.2, 4.1.2, 4.1.1, and 3.9.3.
The Zero Day exploit allows an attacker to insert JavaScript into comments. An attacker could leverage this type of vulnerability to insert code into the website’s server through the plugin and theme editors.
In addition, through this exploit an attacker could also change the administrator’s password, create new administrator accounts, or do anything else that a logged-in admin would be able to do.
An attacker triggers this exploit by an posting excessively long comment exceeding the MySQL TEXT type size limit, which causes the comment to be truncated. As a result, the truncated comment results in malformed HTML being generated on the web page.
“The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently published stored XSS vulnerabilities affecting the WordPress core.
In these two cases, the injected JavaScript apparently can’t be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first.”
The WordPress security team has released a patch that is now available to download, or to update through your WordPress dashboard. This is considered a critical security release for all previous versions, and an immediate update is strongly encouraged.
